Jail for the man who helped Russia hack Yahoo’s email accounts

Remember when Yahoo seemed to have been beset by hack after hack after hack?

In September 2016, Yahoo revealed that the personal data of over 500 million users had been stolen by hackers in 2014.

As if that wasn’t bad enough, three months later the firm revealed that an even larger hack had occurred – a massive security breach had seen hackers access data belonging to up to billions of Yahoo user accounts.

That mega-hack took place in August 2013, with the attackers creating forged cookies that could permit access to users’ accounts without needing any passwords whatsoever. But Yahoo didn’t go public about the breach until December 2016, advising users to be cautious of unsolicited communications and to ensure that they were not using the same passwords and security questions/answers on any other online accounts.

The timing for the company couldn’t have been worse, as it was in the process of trying to sell itself to Verizon.

But it was hard to feel too sorry for Yahoo, as it was revealed that some of its staff had known since 2014 that its systems had been compromised by what it believed to be a “state-sponsored attacker”.

And it’s also hard to feel too much sympathy for Dmitry Aleksandrovich Dokuchaev and Igor Anatolyevich Sushchin, both officers in Russia’s FSB, who the FBI believes directed and paid the hackers involved in the 500 million user account heist.

Nor does my heart cry out for another Russian, Alexsey Alexseyevich Belan (also known as “Magg”), who the US Department of Justice claimed had gained access to the Yahoo User Database (UDB) and details of how to create account authentication web browser cookies.

According to US authorities, the fourth member of the gang was Karim Baratov, a resident of Canada who was extradited to the United States, and pleaded guilty to conspiracy to commit computer fraud and identity theft.

According to prosecutors, Baratov was paid by FSB officer Dokuchaev to hack into at least 80 webmail accounts, including at least 50 belonging to Google users. Baratov had been compromising webmail accounts, charging customers $100 per hack, since he was a teenager. Kazakhstan-born Baratov advertised his services to Russian-language speakers across the globe.

In all, Baratov is believed to have made more than US $1.1 million through his hacks, using his illegal income to purchase a house and expensive cars such as a Lamborghini, Porsche, Aston Martin, Mercedes, and BMW.

This week Baratov has been sentenced to five years in prison, avoiding the 94-month sentence that prosecutors asked for because US district judge Vince Chhabria accepted that Baratov had not been one of the gang’s ringleaders.

“The last 14 months have been a very humbling and eye-opening experience,” Baratov told the court. “There is no excuse for my action…all I can do is promise to be a better man.”

And as for Dokuchaev, Sushchin, and Belan? The three other men the United States would like to question about the Yahoo hack? They’re not expected to see the inside of a US court any day soon.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.